2a887dc5652edfbea0ca2561f67b6e60491d01085cd92c26d27e4ff799493cdf

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6938354e8ae8d533807edf2cfd0e1c5c_JaffaCakes118.html
Size

64KB
MD5

6938354e8ae8d533807edf2cfd0e1c5c
SHA1

5c0e82cdd5cc83d37972ac75a09e54e5deda16d9
SHA256

2a887dc5652edfbea0ca2561f67b6e60491d01085cd92c26d27e4ff799493cdf
SHA512

edd20f7e8c98532dad4ac829629637f87a61bf20c67b603be937f5a33f9ecfc4846cd6eeb73dc0c1273f153bd367842fbda29791fc6b72cbc9dabe8eb3248f4b
SSDEEP

768:N3hyiPSO2ottCzIQcynzN8GaKz5GjujRi3T7i8yNtaHR+c6Hw9MPltWK2SnNw:N34ih2qtC8RynzGRAwaX7hQotWF

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3480 msedge.exe
3480 msedge.exe
4056 msedge.exe
4056 msedge.exe
3044 msedge.exe
3044 msedge.exe
3044 msedge.exe
3044 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4056 msedge.exe
4056 msedge.exe
4056 msedge.exe
4056 msedge.exe

pid	process
3480	msedge.exe
3480	msedge.exe
4056	msedge.exe
4056	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe
4056	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4056 wrote to memory of 3364	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3364	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3092	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3480	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3480	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe
PID 4056 wrote to memory of 3648	4056	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6938354e8ae8d533807edf2cfd0e1c5c_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7ffed41746f8,0x7ffed4174708,0x7ffed4174718
2⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2296,15676898116236233598,3225656662908777615,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2
2⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2296,15676898116236233598,3225656662908777615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2296,15676898116236233598,3225656662908777615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
2⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,15676898116236233598,3225656662908777615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,15676898116236233598,3225656662908777615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,15676898116236233598,3225656662908777615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
2⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,15676898116236233598,3225656662908777615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
2⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2296,15676898116236233598,3225656662908777615,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5196 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
1277f7d43a0c8e0cec857f31f3799411

SHA1
0d6229f06687c8fe492e0c893180a26c23359273

SHA256
5669b6b98635049f34957221e2a4af5ac4bb75e45511790dbc464ae36fbcfc89

SHA512
8786866b77e57fd36040c1c67618f71802f5ae525ee1b48d3acdfbb9969f93ec7096469a9edd50ab37af176aa7d5be4a5e0bd9e5436f040bbe847903db37b07d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
8897409d220c817cd35432038a669a14

SHA1
0d90d122683d44b8ac465bba39ae3e4231734786

SHA256
db2b2dd87451b6aef5a2c5a5e5d5e6d0fdd2b80c8f418e25d39bc25f0eeb9089

SHA512
f4b77aeb9cbd66a2417562f2828080d002bdf77a3cc5e5aa5d0bd577abe8ceb0ba3e7884145c3a8a6c8c29adab663c3a6620c5ed99640a5e31f265fcc22889f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
3601091b7d09733da23df45099517afc

SHA1
b7b1fd56b8c4f3adbda3cc6986f9fa79f88b2fb1

SHA256
a4a2672b335dcfa39df53b5f91a3f2c9791926ba496190f730e60ba72cf01776

SHA512
1e4923fdd3871cad546493ebf928ebd97b74b753762c46d89952e6e451f8383faa21635035ff16c1ed3a817bcb2fd51fd28c4adf027c707fcc765039c7e1810f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
0d6c91311e28151f4ac28859f3c6b231

SHA1
4541bb604fb57cb610903936a153c0f71f907c20

SHA256
842b5e70777371aed860af3ab4063a21d7c75447761fb58d4f2750a59d74fe2e

SHA512
59e596f3e8f43720ca5de9875728d608512e92b924770ea907fb6b6c7ce29491883dbd96a5e705a0e3b26fc659a5620552dbcf3325a6d4cb638687b9c41c941b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9245ec67b3c8816d357af6e005532eb5

SHA1
8093c3e500a230776df6bd2c6c998d892ccb566b

SHA256
5087d83d0794f6bf68f1ec32f6dfc79c81df04f7b84495f79ac1157fea57b5c3

SHA512
cf4c9a83191be53ec45114e7305591790e574ee114cc9dc43fa662230e0ee1bd751ce3303d54e1b4ba9d8efb11e35e36abce06395448ade58c03f7817830947b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ee75b4c97d5170179e2fe8044410d2fa

SHA1
dce8c7130375c9c687c85442110b43b76859a941

SHA256
ca1434c1025486f645c712f18b4767553d8e0c26f56196e75e7dff0194bc8a0c

SHA512
3e2665fe2bbd75976851f89dc1b6539c8f66f94e61d7dd5ce72fc3d6e1091a24f206c7987538eab291be03604528054fdfd2d9010e897a7f8863d963cc9a6c19

Download Submit
\??\pipe\LOCAL\crashpad_4056_QOIRARHGPCKDDHOC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit